@frontmcp/sdk 0.4.1 → 0.5.0

package/src/auth/session/transport-session.manager.d.ts

@@ -0,0 +1,101 @@
+import { TransportSession, TransportProtocol, StoredSession, SessionStore, SessionStorageConfig, TransportState, EncryptedBlob } from './transport-session.types';
+/**
+ * In-memory session store implementation
+ */
+export declare class InMemorySessionStore implements SessionStore {
+    private readonly sessions;
+    get(sessionId: string): Promise<StoredSession | null>;
+    set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void>;
+    delete(sessionId: string): Promise<void>;
+    exists(sessionId: string): Promise<boolean>;
+    allocId(): string;
+    /**
+     * Clean up expired sessions
+     */
+    cleanup(): number;
+    /**
+     * Get count of active sessions
+     */
+    get size(): number;
+}
+/**
+ * Transport Session Manager
+ *
+ * Manages transport sessions independent of authorization.
+ * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.
+ *
+ * Key concepts:
+ * - Authorization = User identity + permissions (1 per user token)
+ * - TransportSession = Protocol-specific connection (N per authorization)
+ * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)
+ */
+export declare class TransportSessionManager {
+    private readonly store;
+    private readonly mode;
+    private readonly encryptionKey;
+    constructor(config: SessionStorageConfig & {
+        encryptionSecret?: string;
+    });
+    /**
+     * Create a new transport session for an authorization
+     *
+     * @param authorizationId - The authorization this session belongs to
+     * @param protocol - Transport protocol (sse, streamable-http, etc.)
+     * @param options - Additional session options
+     * @returns The created transport session
+     */
+    createSession(authorizationId: string, protocol: TransportProtocol, options?: {
+        expiresAt?: number;
+        fingerprint?: string;
+        transportState?: TransportState;
+        tokens?: Record<string, EncryptedBlob>;
+    }): Promise<TransportSession>;
+    /**
+     * Get an existing session by ID
+     *
+     * @param sessionId - The session ID (encrypted JWT or UUID)
+     * @returns The session if found and valid, null otherwise
+     */
+    getSession(sessionId: string): Promise<TransportSession | null>;
+    /**
+     * Get stored session with tokens (for orchestrated mode)
+     */
+    getStoredSession(sessionId: string): Promise<StoredSession | null>;
+    /**
+     * Update session state
+     */
+    updateSession(sessionId: string, updates: {
+        transportState?: TransportState;
+        expiresAt?: number;
+    }): Promise<boolean>;
+    /**
+     * Delete a session
+     */
+    deleteSession(sessionId: string): Promise<boolean>;
+    /**
+     * Encode a session as an encrypted JWT for the Mcp-Session-Id header
+     *
+     * @param session - The transport session to encode
+     * @param additionalState - Additional encrypted state for stateless mode
+     * @returns Encrypted session JWT
+     */
+    encodeSessionJwt(session: TransportSession, additionalState?: {
+        state?: unknown;
+        tokens?: Record<string, unknown>;
+    }): string;
+    /**
+     * Decode an encrypted session JWT
+     *
+     * @param jwt - The encrypted session JWT
+     * @returns Decoded session or null if invalid
+     */
+    private decryptSessionJwt;
+    /**
+     * Check if a session exists and is valid
+     */
+    sessionExists(sessionId: string): Promise<boolean>;
+    /**
+     * Get the storage mode
+     */
+    get storageMode(): 'stateless' | 'stateful';
+}

package/src/auth/session/transport-session.manager.js

@@ -0,0 +1,300 @@
+"use strict";
+// auth/session/transport-session.manager.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TransportSessionManager = exports.InMemorySessionStore = void 0;
+const crypto_1 = require("crypto");
+const session_id_utils_1 = require("./utils/session-id.utils");
+const session_crypto_1 = require("./session.crypto");
+const authorization_class_1 = require("../authorization/authorization.class");
+/**
+ * In-memory session store implementation
+ */
+class InMemorySessionStore {
+    sessions = new Map();
+    async get(sessionId) {
+        const stored = this.sessions.get(sessionId);
+        if (!stored)
+            return null;
+        // Check expiration
+        if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {
+            this.sessions.delete(sessionId);
+            return null;
+        }
+        // Update last accessed
+        stored.lastAccessedAt = Date.now();
+        return stored;
+    }
+    async set(sessionId, session, ttlMs) {
+        if (ttlMs) {
+            session.session.expiresAt = Date.now() + ttlMs;
+        }
+        this.sessions.set(sessionId, session);
+    }
+    async delete(sessionId) {
+        this.sessions.delete(sessionId);
+    }
+    async exists(sessionId) {
+        const stored = this.sessions.get(sessionId);
+        if (!stored)
+            return false;
+        // Check expiration
+        if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {
+            this.sessions.delete(sessionId);
+            return false;
+        }
+        return true;
+    }
+    allocId() {
+        return (0, crypto_1.randomUUID)();
+    }
+    /**
+     * Clean up expired sessions
+     */
+    cleanup() {
+        const now = Date.now();
+        let cleaned = 0;
+        for (const [id, stored] of this.sessions) {
+            if (stored.session.expiresAt && stored.session.expiresAt < now) {
+                this.sessions.delete(id);
+                cleaned++;
+            }
+        }
+        return cleaned;
+    }
+    /**
+     * Get count of active sessions
+     */
+    get size() {
+        return this.sessions.size;
+    }
+}
+exports.InMemorySessionStore = InMemorySessionStore;
+/**
+ * Transport Session Manager
+ *
+ * Manages transport sessions independent of authorization.
+ * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.
+ *
+ * Key concepts:
+ * - Authorization = User identity + permissions (1 per user token)
+ * - TransportSession = Protocol-specific connection (N per authorization)
+ * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)
+ */
+class TransportSessionManager {
+    store;
+    mode;
+    encryptionKey;
+    constructor(config) {
+        this.mode = config.mode;
+        if (config.mode === 'stateless') {
+            this.store = new InMemorySessionStore(); // Used only for allocation
+        }
+        else if (config.store === 'memory') {
+            this.store = new InMemorySessionStore();
+        }
+        else if (config.store === 'redis') {
+            // Redis store would be instantiated here
+            // For now, fall back to in-memory
+            // TODO: Implement RedisSessionStore
+            console.warn('[TransportSessionManager] Redis store requested but not implemented - falling back to in-memory');
+            this.store = new InMemorySessionStore();
+        }
+        else {
+            this.store = new InMemorySessionStore();
+        }
+        // Derive encryption key from secret or generate one
+        const secret = config.encryptionSecret || process.env['MCP_SESSION_SECRET'];
+        if (!secret) {
+            if (process.env['NODE_ENV'] === 'production') {
+                throw new Error('[TransportSessionManager] MCP_SESSION_SECRET or encryptionSecret is required in production. ' +
+                    'Set the MCP_SESSION_SECRET environment variable or provide encryptionSecret in config.');
+            }
+            // Development fallback - NOT secure for production
+            console.warn('[TransportSessionManager] Using machine ID as session encryption secret - NOT SECURE FOR PRODUCTION. ' +
+                'Set MCP_SESSION_SECRET or provide encryptionSecret in config.');
+        }
+        const effectiveSecret = secret || (0, authorization_class_1.getMachineId)();
+        this.encryptionKey = (0, session_crypto_1.hkdfSha256)(Buffer.from(effectiveSecret), Buffer.from('mcp-session-salt'), Buffer.from('transport-session'), 32);
+    }
+    /**
+     * Create a new transport session for an authorization
+     *
+     * @param authorizationId - The authorization this session belongs to
+     * @param protocol - Transport protocol (sse, streamable-http, etc.)
+     * @param options - Additional session options
+     * @returns The created transport session
+     */
+    async createSession(authorizationId, protocol, options = {}) {
+        const sessionId = this.store.allocId();
+        const session = {
+            id: sessionId,
+            authorizationId,
+            protocol,
+            createdAt: Date.now(),
+            expiresAt: options.expiresAt,
+            nodeId: (0, authorization_class_1.getMachineId)(),
+            clientFingerprint: options.fingerprint,
+            transportState: options.transportState,
+        };
+        if (this.mode === 'stateful') {
+            // Store session in persistent store
+            const stored = {
+                session,
+                authorizationId,
+                tokens: options.tokens,
+                createdAt: Date.now(),
+                lastAccessedAt: Date.now(),
+            };
+            await this.store.set(sessionId, stored);
+        }
+        return session;
+    }
+    /**
+     * Get an existing session by ID
+     *
+     * @param sessionId - The session ID (encrypted JWT or UUID)
+     * @returns The session if found and valid, null otherwise
+     */
+    async getSession(sessionId) {
+        if (this.mode === 'stateless') {
+            // Decrypt session from JWT
+            return this.decryptSessionJwt(sessionId);
+        }
+        // Stateful: lookup in store
+        const stored = await this.store.get(sessionId);
+        return stored?.session ?? null;
+    }
+    /**
+     * Get stored session with tokens (for orchestrated mode)
+     */
+    async getStoredSession(sessionId) {
+        if (this.mode === 'stateless') {
+            // In stateless mode, we don't have stored sessions
+            return null;
+        }
+        return this.store.get(sessionId);
+    }
+    /**
+     * Update session state
+     */
+    async updateSession(sessionId, updates) {
+        if (this.mode === 'stateless') {
+            // Stateless sessions are immutable - caller should create new session JWT
+            return false;
+        }
+        const stored = await this.store.get(sessionId);
+        if (!stored)
+            return false;
+        if (updates.transportState) {
+            stored.session.transportState = updates.transportState;
+        }
+        if (updates.expiresAt) {
+            stored.session.expiresAt = updates.expiresAt;
+        }
+        stored.lastAccessedAt = Date.now();
+        await this.store.set(sessionId, stored);
+        return true;
+    }
+    /**
+     * Delete a session
+     */
+    async deleteSession(sessionId) {
+        if (this.mode === 'stateless') {
+            // Stateless sessions can't be revoked
+            return false;
+        }
+        const exists = await this.store.exists(sessionId);
+        if (exists) {
+            await this.store.delete(sessionId);
+        }
+        return exists;
+    }
+    /**
+     * Encode a session as an encrypted JWT for the Mcp-Session-Id header
+     *
+     * @param session - The transport session to encode
+     * @param additionalState - Additional encrypted state for stateless mode
+     * @returns Encrypted session JWT
+     */
+    encodeSessionJwt(session, additionalState) {
+        const payload = {
+            sid: session.id,
+            aid: session.authorizationId,
+            proto: session.protocol,
+            nid: session.nodeId,
+            iat: Math.floor(Date.now() / 1000),
+            exp: session.expiresAt ? Math.floor(session.expiresAt / 1000) : undefined,
+        };
+        if (this.mode === 'stateless' && additionalState) {
+            const statelessPayload = payload;
+            if (additionalState.state) {
+                const encrypted = (0, session_crypto_1.encryptAesGcm)(this.encryptionKey, JSON.stringify(additionalState.state));
+                statelessPayload.state = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;
+            }
+            if (additionalState.tokens) {
+                const encrypted = (0, session_crypto_1.encryptAesGcm)(this.encryptionKey, JSON.stringify(additionalState.tokens));
+                statelessPayload.tokens = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;
+            }
+        }
+        return (0, session_id_utils_1.encryptJson)(payload);
+    }
+    /**
+     * Decode an encrypted session JWT
+     *
+     * @param jwt - The encrypted session JWT
+     * @returns Decoded session or null if invalid
+     */
+    decryptSessionJwt(jwt) {
+        try {
+            // The encryptJson format is iv.tag.ct (base64url)
+            // We need to decrypt it using the same key
+            const parts = jwt.split('.');
+            if (parts.length !== 3)
+                return null;
+            const [ivB64, tagB64, ctB64] = parts;
+            const iv = Buffer.from(ivB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
+            const tag = Buffer.from(tagB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
+            const data = Buffer.from(ctB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
+            const decrypted = (0, session_crypto_1.decryptAesGcm)(this.encryptionKey, {
+                alg: 'A256GCM',
+                iv: iv.toString('base64url'),
+                tag: tag.toString('base64url'),
+                data: data.toString('base64url'),
+            });
+            const payload = JSON.parse(decrypted);
+            // Validate expiration
+            if (payload.exp && payload.exp * 1000 < Date.now()) {
+                return null;
+            }
+            return {
+                id: payload.sid,
+                authorizationId: payload.aid,
+                protocol: payload.proto,
+                createdAt: payload.iat * 1000,
+                expiresAt: payload.exp ? payload.exp * 1000 : undefined,
+                nodeId: payload.nid,
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Check if a session exists and is valid
+     */
+    async sessionExists(sessionId) {
+        if (this.mode === 'stateless') {
+            const session = this.decryptSessionJwt(sessionId);
+            return session !== null;
+        }
+        return this.store.exists(sessionId);
+    }
+    /**
+     * Get the storage mode
+     */
+    get storageMode() {
+        return this.mode;
+    }
+}
+exports.TransportSessionManager = TransportSessionManager;
+//# sourceMappingURL=transport-session.manager.js.map

package/src/auth/session/transport-session.manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport-session.manager.js","sourceRoot":"","sources":["../../../../src/auth/session/transport-session.manager.ts"],"names":[],"mappings":";AAAA,4CAA4C;;;AAE5C,mCAAoC;AAYpC,+DAAuD;AACvD,qDAA4E;AAC5E,8EAAoE;AAEpE;;GAEG;AACH,MAAa,oBAAoB;IACd,QAAQ,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE7D,KAAK,CAAC,GAAG,CAAC,SAAiB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,SAAiB,EAAE,OAAsB,EAAE,KAAc;QACjE,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB;QAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,OAAO,IAAA,mBAAU,GAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC/D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAC5B,CAAC;CACF;AAlED,oDAkEC;AAED;;;;;;;;;;GAUG;AACH,MAAa,uBAAuB;IACjB,KAAK,CAAe;IACpB,IAAI,CAA2B;IAC/B,aAAa,CAAS;IAEvC,YAAY,MAA4D;QACtE,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAExB,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC,CAAC,2BAA2B;QACtE,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;aAAM,IAAI,MAAM,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;YACpC,yCAAyC;YACzC,kCAAkC;YAClC,oCAAoC;YACpC,OAAO,CAAC,IAAI,CAAC,iGAAiG,CAAC,CAAC;YAChH,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC1C,CAAC;QAED,oDAAoD;QACpD,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY,EAAE,CAAC;gBAC7C,MAAM,IAAI,KAAK,CACb,8FAA8F;oBAC5F,wFAAwF,CAC3F,CAAC;YACJ,CAAC;YACD,mDAAmD;YACnD,OAAO,CAAC,IAAI,CACV,uGAAuG;gBACrG,+DAA+D,CAClE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,IAAI,IAAA,kCAAY,GAAE,CAAC;QACjD,IAAI,CAAC,aAAa,GAAG,IAAA,2BAAU,EAC7B,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,EAC5B,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAC/B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAChC,EAAE,CACH,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,eAAuB,EACvB,QAA2B,EAC3B,UAKI,EAAE;QAEN,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEvC,MAAM,OAAO,GAAqB;YAChC,EAAE,EAAE,SAAS;YACb,eAAe;YACf,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,IAAA,kCAAY,GAAE;YACtB,iBAAiB,EAAE,OAAO,CAAC,WAAW;YACtC,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,oCAAoC;YACpC,MAAM,MAAM,GAAkB;gBAC5B,OAAO;gBACP,eAAe;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;gBACrB,cAAc,EAAE,IAAI,CAAC,GAAG,EAAE;aAC3B,CAAC;YACF,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC1C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,SAAiB;QAChC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,2BAA2B;YAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAED,4BAA4B;QAC5B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,OAAO,MAAM,EAAE,OAAO,IAAI,IAAI,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,SAAiB;QACtC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,mDAAmD;YACnD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,OAGC;QAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,0EAA0E;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1B,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,MAAM,CAAC,OAAO,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEnC,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,sCAAsC;YACtC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;OAMG;IACH,gBAAgB,CACd,OAAyB,EACzB,eAGC;QAED,MAAM,OAAO,GAAsB;YACjC,GAAG,EAAE,OAAO,CAAC,EAAE;YACf,GAAG,EAAE,OAAO,CAAC,eAAe;YAC5B,KAAK,EAAE,OAAO,CAAC,QAAQ;YACvB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;YAClC,GAAG,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1E,CAAC;QAEF,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,IAAI,eAAe,EAAE,CAAC;YACjD,MAAM,gBAAgB,GAAG,OAAqC,CAAC;YAE/D,IAAI,eAAe,CAAC,KAAK,EAAE,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3F,gBAAgB,CAAC,KAAK,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YAChF,CAAC;YAED,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5F,gBAAgB,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,IAAI,SAAS,CAAC,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACjF,CAAC;QACH,CAAC;QAED,OAAO,IAAA,8BAAW,EAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACK,iBAAiB,CAAC,GAAW;QACnC,IAAI,CAAC;YACH,kDAAkD;YAClD,2CAA2C;YAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAEpC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;YACrC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAChF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;YAEhF,MAAM,SAAS,GAAG,IAAA,8BAAa,EAAC,IAAI,CAAC,aAAa,EAAE;gBAClD,GAAG,EAAE,SAAS;gBACd,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC5B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC9B,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;aACjC,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;YAE3D,sBAAsB;YACtB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,OAAO,CAAC,GAAG;gBACf,eAAe,EAAE,OAAO,CAAC,GAAG;gBAC5B,QAAQ,EAAE,OAAO,CAAC,KAAK;gBACvB,SAAS,EAAE,OAAO,CAAC,GAAG,GAAG,IAAI;gBAC7B,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBACvD,MAAM,EAAE,OAAO,CAAC,GAAG;aACpB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACnC,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAClD,OAAO,OAAO,KAAK,IAAI,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,IAAI,WAAW;QACb,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AA5QD,0DA4QC","sourcesContent":["// auth/session/transport-session.manager.ts\n\nimport { randomUUID } from 'crypto';\nimport {\n  TransportSession,\n  TransportProtocol,\n  SessionJwtPayload,\n  StatelessSessionJwtPayload,\n  StoredSession,\n  SessionStore,\n  SessionStorageConfig,\n  TransportState,\n  EncryptedBlob,\n} from './transport-session.types';\nimport { encryptJson } from './utils/session-id.utils';\nimport { encryptAesGcm, decryptAesGcm, hkdfSha256 } from './session.crypto';\nimport { getMachineId } from '../authorization/authorization.class';\n\n/**\n * In-memory session store implementation\n */\nexport class InMemorySessionStore implements SessionStore {\n  private readonly sessions = new Map<string, StoredSession>();\n\n  async get(sessionId: string): Promise<StoredSession | null> {\n    const stored = this.sessions.get(sessionId);\n    if (!stored) return null;\n\n    // Check expiration\n    if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n      this.sessions.delete(sessionId);\n      return null;\n    }\n\n    // Update last accessed\n    stored.lastAccessedAt = Date.now();\n    return stored;\n  }\n\n  async set(sessionId: string, session: StoredSession, ttlMs?: number): Promise<void> {\n    if (ttlMs) {\n      session.session.expiresAt = Date.now() + ttlMs;\n    }\n    this.sessions.set(sessionId, session);\n  }\n\n  async delete(sessionId: string): Promise<void> {\n    this.sessions.delete(sessionId);\n  }\n\n  async exists(sessionId: string): Promise<boolean> {\n    const stored = this.sessions.get(sessionId);\n    if (!stored) return false;\n\n    // Check expiration\n    if (stored.session.expiresAt && stored.session.expiresAt < Date.now()) {\n      this.sessions.delete(sessionId);\n      return false;\n    }\n    return true;\n  }\n\n  allocId(): string {\n    return randomUUID();\n  }\n\n  /**\n   * Clean up expired sessions\n   */\n  cleanup(): number {\n    const now = Date.now();\n    let cleaned = 0;\n    for (const [id, stored] of this.sessions) {\n      if (stored.session.expiresAt && stored.session.expiresAt < now) {\n        this.sessions.delete(id);\n        cleaned++;\n      }\n    }\n    return cleaned;\n  }\n\n  /**\n   * Get count of active sessions\n   */\n  get size(): number {\n    return this.sessions.size;\n  }\n}\n\n/**\n * Transport Session Manager\n *\n * Manages transport sessions independent of authorization.\n * Supports both stateless (JWT-encrypted) and stateful (store-backed) modes.\n *\n * Key concepts:\n * - Authorization = User identity + permissions (1 per user token)\n * - TransportSession = Protocol-specific connection (N per authorization)\n * - One authorization can have multiple transport sessions (e.g., multiple browser tabs)\n */\nexport class TransportSessionManager {\n  private readonly store: SessionStore;\n  private readonly mode: 'stateless' | 'stateful';\n  private readonly encryptionKey: Buffer;\n\n  constructor(config: SessionStorageConfig & { encryptionSecret?: string }) {\n    this.mode = config.mode;\n\n    if (config.mode === 'stateless') {\n      this.store = new InMemorySessionStore(); // Used only for allocation\n    } else if (config.store === 'memory') {\n      this.store = new InMemorySessionStore();\n    } else if (config.store === 'redis') {\n      // Redis store would be instantiated here\n      // For now, fall back to in-memory\n      // TODO: Implement RedisSessionStore\n      console.warn('[TransportSessionManager] Redis store requested but not implemented - falling back to in-memory');\n      this.store = new InMemorySessionStore();\n    } else {\n      this.store = new InMemorySessionStore();\n    }\n\n    // Derive encryption key from secret or generate one\n    const secret = config.encryptionSecret || process.env['MCP_SESSION_SECRET'];\n    if (!secret) {\n      if (process.env['NODE_ENV'] === 'production') {\n        throw new Error(\n          '[TransportSessionManager] MCP_SESSION_SECRET or encryptionSecret is required in production. ' +\n            'Set the MCP_SESSION_SECRET environment variable or provide encryptionSecret in config.',\n        );\n      }\n      // Development fallback - NOT secure for production\n      console.warn(\n        '[TransportSessionManager] Using machine ID as session encryption secret - NOT SECURE FOR PRODUCTION. ' +\n          'Set MCP_SESSION_SECRET or provide encryptionSecret in config.',\n      );\n    }\n    const effectiveSecret = secret || getMachineId();\n    this.encryptionKey = hkdfSha256(\n      Buffer.from(effectiveSecret),\n      Buffer.from('mcp-session-salt'),\n      Buffer.from('transport-session'),\n      32,\n    );\n  }\n\n  /**\n   * Create a new transport session for an authorization\n   *\n   * @param authorizationId - The authorization this session belongs to\n   * @param protocol - Transport protocol (sse, streamable-http, etc.)\n   * @param options - Additional session options\n   * @returns The created transport session\n   */\n  async createSession(\n    authorizationId: string,\n    protocol: TransportProtocol,\n    options: {\n      expiresAt?: number;\n      fingerprint?: string;\n      transportState?: TransportState;\n      tokens?: Record<string, EncryptedBlob>;\n    } = {},\n  ): Promise<TransportSession> {\n    const sessionId = this.store.allocId();\n\n    const session: TransportSession = {\n      id: sessionId,\n      authorizationId,\n      protocol,\n      createdAt: Date.now(),\n      expiresAt: options.expiresAt,\n      nodeId: getMachineId(),\n      clientFingerprint: options.fingerprint,\n      transportState: options.transportState,\n    };\n\n    if (this.mode === 'stateful') {\n      // Store session in persistent store\n      const stored: StoredSession = {\n        session,\n        authorizationId,\n        tokens: options.tokens,\n        createdAt: Date.now(),\n        lastAccessedAt: Date.now(),\n      };\n      await this.store.set(sessionId, stored);\n    }\n\n    return session;\n  }\n\n  /**\n   * Get an existing session by ID\n   *\n   * @param sessionId - The session ID (encrypted JWT or UUID)\n   * @returns The session if found and valid, null otherwise\n   */\n  async getSession(sessionId: string): Promise<TransportSession | null> {\n    if (this.mode === 'stateless') {\n      // Decrypt session from JWT\n      return this.decryptSessionJwt(sessionId);\n    }\n\n    // Stateful: lookup in store\n    const stored = await this.store.get(sessionId);\n    return stored?.session ?? null;\n  }\n\n  /**\n   * Get stored session with tokens (for orchestrated mode)\n   */\n  async getStoredSession(sessionId: string): Promise<StoredSession | null> {\n    if (this.mode === 'stateless') {\n      // In stateless mode, we don't have stored sessions\n      return null;\n    }\n    return this.store.get(sessionId);\n  }\n\n  /**\n   * Update session state\n   */\n  async updateSession(\n    sessionId: string,\n    updates: {\n      transportState?: TransportState;\n      expiresAt?: number;\n    },\n  ): Promise<boolean> {\n    if (this.mode === 'stateless') {\n      // Stateless sessions are immutable - caller should create new session JWT\n      return false;\n    }\n\n    const stored = await this.store.get(sessionId);\n    if (!stored) return false;\n\n    if (updates.transportState) {\n      stored.session.transportState = updates.transportState;\n    }\n    if (updates.expiresAt) {\n      stored.session.expiresAt = updates.expiresAt;\n    }\n    stored.lastAccessedAt = Date.now();\n\n    await this.store.set(sessionId, stored);\n    return true;\n  }\n\n  /**\n   * Delete a session\n   */\n  async deleteSession(sessionId: string): Promise<boolean> {\n    if (this.mode === 'stateless') {\n      // Stateless sessions can't be revoked\n      return false;\n    }\n\n    const exists = await this.store.exists(sessionId);\n    if (exists) {\n      await this.store.delete(sessionId);\n    }\n    return exists;\n  }\n\n  /**\n   * Encode a session as an encrypted JWT for the Mcp-Session-Id header\n   *\n   * @param session - The transport session to encode\n   * @param additionalState - Additional encrypted state for stateless mode\n   * @returns Encrypted session JWT\n   */\n  encodeSessionJwt(\n    session: TransportSession,\n    additionalState?: {\n      state?: unknown;\n      tokens?: Record<string, unknown>;\n    },\n  ): string {\n    const payload: SessionJwtPayload = {\n      sid: session.id,\n      aid: session.authorizationId,\n      proto: session.protocol,\n      nid: session.nodeId,\n      iat: Math.floor(Date.now() / 1000),\n      exp: session.expiresAt ? Math.floor(session.expiresAt / 1000) : undefined,\n    };\n\n    if (this.mode === 'stateless' && additionalState) {\n      const statelessPayload = payload as StatelessSessionJwtPayload;\n\n      if (additionalState.state) {\n        const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.state));\n        statelessPayload.state = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n      }\n\n      if (additionalState.tokens) {\n        const encrypted = encryptAesGcm(this.encryptionKey, JSON.stringify(additionalState.tokens));\n        statelessPayload.tokens = `${encrypted.iv}.${encrypted.tag}.${encrypted.data}`;\n      }\n    }\n\n    return encryptJson(payload);\n  }\n\n  /**\n   * Decode an encrypted session JWT\n   *\n   * @param jwt - The encrypted session JWT\n   * @returns Decoded session or null if invalid\n   */\n  private decryptSessionJwt(jwt: string): TransportSession | null {\n    try {\n      // The encryptJson format is iv.tag.ct (base64url)\n      // We need to decrypt it using the same key\n      const parts = jwt.split('.');\n      if (parts.length !== 3) return null;\n\n      const [ivB64, tagB64, ctB64] = parts;\n      const iv = Buffer.from(ivB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n      const tag = Buffer.from(tagB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n      const data = Buffer.from(ctB64.replace(/-/g, '+').replace(/_/g, '/'), 'base64');\n\n      const decrypted = decryptAesGcm(this.encryptionKey, {\n        alg: 'A256GCM',\n        iv: iv.toString('base64url'),\n        tag: tag.toString('base64url'),\n        data: data.toString('base64url'),\n      });\n\n      const payload = JSON.parse(decrypted) as SessionJwtPayload;\n\n      // Validate expiration\n      if (payload.exp && payload.exp * 1000 < Date.now()) {\n        return null;\n      }\n\n      return {\n        id: payload.sid,\n        authorizationId: payload.aid,\n        protocol: payload.proto,\n        createdAt: payload.iat * 1000,\n        expiresAt: payload.exp ? payload.exp * 1000 : undefined,\n        nodeId: payload.nid,\n      };\n    } catch {\n      return null;\n    }\n  }\n\n  /**\n   * Check if a session exists and is valid\n   */\n  async sessionExists(sessionId: string): Promise<boolean> {\n    if (this.mode === 'stateless') {\n      const session = this.decryptSessionJwt(sessionId);\n      return session !== null;\n    }\n    return this.store.exists(sessionId);\n  }\n\n  /**\n   * Get the storage mode\n   */\n  get storageMode(): 'stateless' | 'stateful' {\n    return this.mode;\n  }\n}\n"]}